Blog post

SonarSource acquires RIPS Technologies

Olivier Gaudin

CEO & Co-founder

  • Security
  • Announcement
Teams will be joining forces in building best-in-class Static Application Security Testing (SAST) products that help development teams and organizations deliver more secure software.

I am very happy to announce that SonarSource has acquired RIPS Technologies, a German startup founded in 2016, also known as The Technology Leader in Static Application Security Testing (SAST). RIPS-TECH is famous in the SAST industry for the precision and speed of its static analyzers. You can read the official Press Release announcement here.


For those who have followed SonarSource for a while, you know that we are proponents of continuous improvement and we do not go for big revolutions. Still, I truly believe that this acquisition is an event that will have a large impact on the future of the company, similar to what happened when we introduced SonarLint for IDEs, or when we launched the decoration of Pull Requests. In other words, this is a game changer.


SonarSource was founded in 2008 with a goal of providing code quality tooling to all developers and development teams. I believe the massive popularity, adoption and usage of all of our products today speaks for itself and that we have succeeded with this goal. As we went along, we started to also add some security features in our products and 3 years ago, we decided to go into the security market with a similar goal. Two years ago we released the first version of our security engine, last year we officially launched it as part of SonarQube 7.9 and had some good success with it already.


This acquisition will enable us to reach our ambitious goal to empower all developers and development teams to truly own and impact the security of their codebase.


And this is the end of the short story about this acquisition. For those interested, here is the longer one :)

What is our vision?

One of the things that drives us at SonarSource is impact. And we believe that only developers can have a sustainable impact on Code Quality and Code Security. At the end of the day, they are the ones changing the code, right?


This is why we made the choice to build developer-first products, i.e. products that bring value to developers, before and above anyone else. To succeed in this, we feel it is important to be deep in the analysis. We believe it is equally important that the data be accurate, shown in the right place at the right time and to the right person.


What we want to build for security is a solution that fully integrates with the development process of teams, starting in the IDE up to the release process to production, and where it is possible for all stakeholders to understand the security of the code they are dealing with and to enable rapid correction. Of course, by enabling the practice to kick off in the IDE, we are drastically reducing the work required later on in the process.


We also believe that the quality of the data that we present to developers is essential for the engagement of the developer in the practice. This means of course that we should hunt false positives and false negatives, but we believe that we actually go further than simply this. We believe it is extremely important that we present the information for what it is, not trying to show off when our product can find something. For that very reason, we decided to separate what we call Security Vulnerabilities - code that requires a fix - from what we call Security Hotspots - code that requires a review - and to provide a process flow to do the review. That way, we make crystal clear to developers why we flag code, and we believe that this will be a strong driver for adoption.


Once we have this, we believe we are able to grow the existing security market far beyond Fortune1K, as we have done before with Code Quality. And I think we will be the undisputed leader of this grown market.

Why does this acquisition make sense?

If you have read this far, I suppose you now start to understand why this acquisition makes sense. On one hand, SonarSource is a very efficient company that has 3 massively adopted products, SonarQube, SonarLint and SonarCloud, for Code Quality and Code Security. We entered the latter only 2 years ago and our analyzers are still young. On the other hand, RIPS Technologies has developed very precise and fast security analyzers for a number of years. By combining the 2 technologies, we believe we will have a solution that supports the vision above.


We also plan to create a dedicated security research team that is going to be headed by Johannes Dahse, the CEO and co-founder of RIPS Technologies. We not only want to develop and lead this market, we also want to innovate and be the ones that show the way.


But there is more… When we started to talk to RIPS Technologies, we discovered a company that has similar values and drivers to SonarSource’s: product focused, passionate and very geeky. So we felt that they were not only complementary but also very compatible. And it looks like this is going to be a great human experience!


I am very happy that 25 RIPSlers joined the 145 SonarSourcers and that, after Geneva (Switzerland), La Roche-sur-Foron (France), Austin (Texas), we now have our 4th office in Bochum, Germany.


Olivier Gaudin
CEO & Co-founder
SonarSource